Referring to FIG. 1, a Software Defined Network (SDN) is a new network architecture that separates the control plane of the network from its forwarding plane and integrates the control functions of the network into a single controller. The controller delivers control information to the switching devices through interactive communication with them, and the switching devices process data flows based on that control information. Specifically, the control information is delivered in the form of a flow table.
A flow table is a set of data flow processing rules delivered by the controller to a switching device, and the flow table inside a switching device consists of flow entries. Referring to FIG. 2, the basic data structure of a flow entry has three parts: a match field, counters, and instructions. The match field carries data packet header information such as the ingress port of the data flow, the source/destination MAC (Media Access Control) address, and the source/destination IP (Internet Protocol) address. When a data flow reaches the switching device, the switching device matches the feature information of each data packet (for example, its header information and ingress port) against the flow entries in its flow table. Once a flow entry is matched, the data packet is processed according to the operations specified in the instructions of that flow entry; the operations include, for example, discarding, forwarding, and modifying the data packet. In addition, after a data packet matches a flow entry, the switching device updates the counters of that flow entry. By reading the counters, the switching device can therefore obtain the quantity of traffic that has matched each flow entry, namely, the actual traffic.
In the SDN architecture network shown in FIG. 1, when an attacker (for example, the attacker 14 in FIG. 1) tampers with a flow entry of a switching device (for example, S5 in FIG. 1), or a flow entry of the switching device becomes abnormal, the correct path delivered by the controller (for example, the controller 11 in FIG. 1) from a source host (for example, Host 1 in FIG. 1) to a destination host (for example, Host 5 in FIG. 1), such as Host 1→S1→S5→S9→S7→S3→Host 5 in FIG. 1, is changed to an incorrect path, such as Host 1→S1→S5→S10→S7→S3→Host 5 in FIG. 1. The switching device S9 may be a security device, for example a firewall or an IPS (intrusion prevention system). Because of such tampering by the attacker, the data flow bypasses the check performed by the security device. The fundamental reason is that the data flow forwarding rule delivered by the controller is inconsistent with the actual forwarding status of the data flow, and no technical means in the prior art can detect such inconsistency.
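The following Python simulation is an illustration added to this section; it is not part of the patent's disclosure and does not describe the claimed method. It builds the FIG. 1 topology, models a flow entry as the three parts of FIG. 2 (match field, counters, instructions), has the controller install the intended path Host 1→S1→S5→S9→S7→S3→Host 5, then applies the S5 tampering and traces a Host 1 to Host 5 packet. Port numbers, the IP and MAC addresses, and the forwarding entry on S10 are assumptions (the figures name only the switches and the two paths). Comparing the traced path with the delivered one, or the counters of S9 against those of S10, reveals the inconsistency between delivered rule and actual forwarding; the simulation can do this only because it has full visibility of every switch's forwarding state, which is exactly what a controller that merely delivers rules lacks.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Added illustration of the FIG. 1 / FIG. 2 mechanism. Ports, addresses and
# the S10 entry are assumptions, not values taken from the patent.


@dataclass
class Packet:
    in_port: int
    eth_src: str
    eth_dst: str
    ip_src: str
    ip_dst: str


@dataclass
class FlowEntry:
    match: Dict[str, Optional[object]]  # match field; None means wildcard
    instructions: List[Tuple]           # ("forward", port) | ("drop",) | ("modify", field, value)
    packets: int = 0                    # counter, updated on every match

    def matches(self, pkt: Packet) -> bool:
        return all(v is None or getattr(pkt, k) == v for k, v in self.match.items())


class Switch:
    def __init__(self, name: str, links: Dict[int, str]):
        self.name, self.links = name, links   # port number -> neighbour name
        self.flow_table: List[FlowEntry] = []

    def port_to(self, neighbour: str) -> int:
        return next(p for p, n in self.links.items() if n == neighbour)

    def process(self, pkt: Packet) -> Optional[int]:
        """Match pkt against the flow table; return the egress port, or None on drop/miss."""
        for entry in self.flow_table:
            if entry.matches(pkt):
                entry.packets += 1
                out = None
                for instr in entry.instructions:
                    if instr[0] == "drop":
                        return None
                    if instr[0] == "modify":
                        setattr(pkt, instr[1], instr[2])
                    if instr[0] == "forward":
                        out = instr[1]
                return out
        return None  # table miss


HOSTS = {"Host 1": ("S1", 1), "Host 5": ("S3", 2)}   # host -> (switch, port) attachment
FLOW = {"ip_src": "10.0.0.1", "ip_dst": "10.0.0.5"}  # the Host 1 -> Host 5 flow, other fields wildcarded
INTENDED = ["Host 1", "S1", "S5", "S9", "S7", "S3", "Host 5"]


def build_network() -> Dict[str, Switch]:
    topo = {  # assumed port assignment for the links drawn in FIG. 1
        "S1": {1: "Host 1", 2: "S5"},
        "S5": {1: "S1", 2: "S9", 3: "S10"},
        "S9": {1: "S5", 2: "S7"},        # security device (firewall / IPS) on the intended path
        "S10": {1: "S5", 2: "S7"},
        "S7": {1: "S9", 2: "S10", 3: "S3"},
        "S3": {1: "S7", 2: "Host 5"},
    }
    return {name: Switch(name, links) for name, links in topo.items()}


def install_rules(net: Dict[str, Switch]) -> None:
    """Controller delivers the intended path; the S10 entry is an assumed pre-existing rule."""
    for sw, nxt in [("S1", "S5"), ("S5", "S9"), ("S9", "S7"), ("S10", "S7"),
                    ("S7", "S3"), ("S3", "Host 5")]:
        net[sw].flow_table.append(FlowEntry(dict(FLOW), [("forward", net[sw].port_to(nxt))]))


def tamper(net: Dict[str, Switch]) -> None:
    """Attacker 14 rewrites the S5 entry so the flow is sent to S10 instead of S9."""
    net["S5"].flow_table[0].instructions = [("forward", net["S5"].port_to("S10"))]


def trace(net: Dict[str, Switch], src_host: str, pkt: Packet) -> List[str]:
    """Forward pkt hop by hop and return the nodes it actually traverses."""
    sw_name, in_port = HOSTS[src_host]
    path = [src_host]
    while True:
        sw = net[sw_name]
        pkt.in_port = in_port
        path.append(sw_name)
        out = sw.process(pkt)
        if out is None:
            return path                     # dropped or table miss
        nxt = sw.links[out]
        if nxt in HOSTS:
            return path + [nxt]
        in_port = net[nxt].port_to(sw_name)
        sw_name = nxt


def run(tampered: bool):
    """Return (actual path, counters of S9 and S10, intended nodes that were bypassed)."""
    net = build_network()
    install_rules(net)
    if tampered:
        tamper(net)
    pkt = Packet(0, "00:00:00:00:00:01", "00:00:00:00:00:05", "10.0.0.1", "10.0.0.5")
    actual = trace(net, "Host 1", pkt)
    counters = {n: net[n].flow_table[0].packets for n in ("S9", "S10")}
    bypassed = [n for n in INTENDED if n not in actual]
    return actual, counters, bypassed


if __name__ == "__main__":
    for tampered in (False, True):
        actual, counters, bypassed = run(tampered)
        print("tampered" if tampered else "intact", "->", " -> ".join(actual), counters, bypassed)
```

In the intact run the packet follows the delivered path and only the S9 counter increments; after the S5 entry is rewritten the packet reaches Host 5 via S10, the S9 counter stays at zero, and the path comparison lists S9 as bypassed. Both signals depend on reading the switches' actual forwarding state (their counters or their real output ports), not on the rule the controller delivered.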